research projects – e.g. age, ethnicity, gender, employment, political views, religious beliefs, etc – but this will be done under the specific ethical terms and conditions governing each individual project. This is made available to participants at the start of the project and consent to participate can be withdrawn at any time.

How is personal information used?

We collect, store and process personal data to:

administer the Society’s membership system

communicate via our e-newsletter with those who have subscribed to it

communicate with stakeholders about our research

enhance and modify our communications and services

meet obligations arising from any contract we have entered into

notify subscribers of any changes to the services we provide

organise events

process job and academic placement applications

provide user support for our Statutory Instrument Tracker

receive and process donations and legacies

respond to any enquiry made about our research and services

How long do we keep personal data for?

We retain personal data only as long as needed in relation to the activity for which it has been provided. Retention periods are reviewed regularly.

We are required to hold some types of information for longer periods to fulfil our contractual or legal obligations. For example:

where the activity involves some form of financial transaction, this is retained for at least seven years for auditing purposes.

personal data arising from research and education projects is retained for the length of time required by project grant terms and conditions. Where research data is archived for permanent preservation (e.g. focus group transcripts or survey results), this is cleaned of personal identifiers prior to deposit.

Who do we share personal data with?

We will not sell your data to a third party for direct marketing or any other purpose. It will be retained solely for the purpose(s) for which it was provided to the Hansard Society.

if we need to enforce our terms and conditions or other agreements for services that we provide

to Oxford University Press to process subscriptions for our journal, Parliamentary Affairs

Some data is shared with third party ‘processors’ that we utilise to carry out core business functions and deliver services. These include:

Active Campaign – CRM system

Braintree – online payments system

Digital Ocean – client host for online payments processing

Dropbox – cloud file storage

Give As You Live – online donations

G-Suite – email, calendar, contacts and Google Analytics

Netlify – online form functionality for website

PayPal – online payment provider

Picatic – event registration

Zapier – online task automation tool

When using third party service providers to process data on our behalf, we disclose only the personal information that is necessary to deliver the function or service required. This may involve the transfer of data outside the European Economic Area (EEA) depending on where the third party’s servers are based. However, all have their own Privacy Policies and operate under the EU-US Privacy Shield initiative, certifying that they meet EU data protection standards.

Legal base(s) for processing personal data

Depending on the nature of the activity or service for which personal data has been collected and stored, our ‘legal base’ for processing it is one of the following four provisions. The examples given are illustrative not exhaustive.

1. Consent: the individual whom the personal data is about has consented to the processing.

For example, the processing of personal data (name/email address) required for electronic dissemination of our newsletter is based on Consent, as subscribers voluntarily gave their data to us for this specific purpose and confirmed their request via email. Each newsletter contains a clear link to enable users to unsubscribe.

2. The processing is necessary in relation to a contract which the individual has entered into or because the individual has asked for something to be done so they can enter into a contract.

For example, in relation to any processing of personal contact and financial data where a person applies to become a Hansard Society member, books a place on a training course, requests a demonstration of, or subscribes to, our Statutory Instrument Tracker, or orders a publication for electronic download or home delivery.

3. The processing is necessary because of a legal obligation that applies to us.

For example, in relation to the processing of personal and academic data provided by applicants to the Hansard Society Scholars Programme, and their home universities, and which is governed by QAA regulatory requirements, UKVI Tier 4 licence requirements, and security clearance requirements to work in Parliament.

4. The processing is in accordance with a ‘legitimate interest’

For example, to meet our charitable objectives we collect and process limited forms of personal data (name, email, organisation and role/job title) in order to disseminate our research findings to stakeholders (including parliamentarians and the media) and convene debate on topical political issues. Data processing is undertaken only on a limited, as-required basis and recipients have the option to unsubscribe.

Cookies

Like many other organisations we use Cookies to record visits to our website. A cookie is installed on your computer enabling our website to recognise and track your interaction with the site. These enable us to gather statistics on use of the site, which in turn help inform our plans for future developments to improve the user experience.

Using Google Analytics, we track and analyse aggregated statistical data about online visitor behaviour and events: for example, as a percentage of our users, what is their journey through the site, what technology (platform) do they use, what is their browsing time and duration, what pages do they visit, how are they referred to and from the site?

Users can set their browsers to block cookies but this may result in a loss of functionality in relation to some of our website features.

Children’s privacy

We do not generally work with those aged 18 or under. An exception to this is our Mock Elections in Schools project held in advance of every general election for over five decades. Schools submit data detailing their mock election results, including the names, age, and class of participating pupils. Photographs and videos have also been sent to the Society, including via social media. Unless documentation has been provided by the schools granting specific permission for the processing of this personal data we do not use it.

We have deleted historic data from our mock election programme files. We have retained aggregate electoral result information at school level for future research purposes and archival preservation. However, personal data – pupil and teacher names, contact details – has been reviewed and deleted.

Your rights in relation to the personal information that we hold

You have a right …

To be informed – about the collection and use of your personal data.

Of access - you have the right to access your personal data and supplementary information, and be aware of and verify the lawfulness of the processing.

To rectification – you can ask that your information be updated or corrected.

To be forgotten (erasure) – you can ask that your information be permanently deleted.

To restrict processing – you can ask to limit the way in which we use your data.

To data portability – you can ask to have your information transferred to another organisation.

To object – you can seek to prohibit certain uses of your personal data (processing based on legitimate interest or the performance of a task in the public interest).

Not to be subject to automated decision-making and profiling. (We do not use these forms of data processing.)

Access requests

If you want to know what personal data we hold about you, how and why we process it, and receive a copy of that data, you can ask us for it. Formally, this is known as a ‘data subject access request’ (DSAR).

To submit a request for access to any personal data we hold and process about you, contact the Society in writing, by email or by telephone at:

By law we must respond to your request within one month, unless the request is deemed ‘complex’. We will provide information about the personal data requested usually in a structured, machine readable format. In most instances, for the data we hold and process, that will be in the form of a downloadable .CSV file. Depending on the nature of the request, however, the information may be provided in other formats.

You also have the right to submit a complaint to the Information Commissioner who is responsible, in the UK, for supervision of data protection (https://ico.org.uk/concerns).

Changes to this privacy policy

This policy was updated in accordance with the General Data Protection regulation (GDPR) 2018 and the Data Processing Act 1998.

We will amend the policy from time to time as required. This will be highlighted on our website, email communications, and e-newsletters, as well as in updates to terms and conditions governing our provision of services.

DATE: 17 May 2018

Join our newsletter

Get the latest updates on our research and events, together with expert comment and analysis, delivered to your inbox each month.

Please skip this field: First namePlease review this fieldSurnamePlease review this fieldEmail addressPlease review this field